b"                                                        IG-98-005\n\n\nAUDIT\nREPORT\n                           NASA DATA CENTER GENERAL CONTROLS\n                                 JOHNSON SPACE CENTER\n\n\n                                     January 29, 1998\n\n\n\n\n                           OFFICE OF INSPECTOR GENERAL\n\nNational Aeronautics and\n Space Administration\n\x0cADDITIONAL COPIES\n\nTo obtain additional copies of this audit report, contact the Assistant Inspector General for\nAuditing at 202-358-1232.\n\nSUGGESTIONS FOR FUTURE AUDITS\n\nTo suggest ideas for or to request future audits, contact the Assistant Inspector General for\nAuditing. Ideas and requests can also be mailed to:\n\n               Assistant Inspector General for Auditing\n               NASA Headquarters\n               Code W\n               300 E St., SW\n               Washington, D.C. 20546\n\nNASA HOTLINE\n\nTo report fraud, waste, abuse, or mismanagement, contact the NASA OIG Hotline by\ncalling 1-800-424-9183; 1-800-535-8134 (TDD); or by writing the NASA Inspector\nGeneral, P.O. Box 23089, L'Enfant Plaza Station, Washington, D.C. 20026. The identity of\neach writer and caller can be kept confidential upon request to the extent permitted by law.\n\n\n\n\n              ACRONYMS\n\nFEIDS         Flight Equipment Interface Devices\nJSC           Johnson Space Center\nKSC           Kennedy Space Center\nMSFC          Marshall Space Flight Center\nNASA          National Aeronautics and Space Administration\nOIG           Office of Inspector General\nOMB           Office of Management and Budget\nPCZ           Physical Control Zone\nSPF           Software Production Facility\nSTS           Space Transportation System\nUPS           Uninterruptable Power Source\nUSA           United Space Alliance\n\x0c                                      TABLE OF CONTENTS\n\nBACKGROUND . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1\n\nOBSERVATIONS AND RECOMMENDATIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3\n\n        STRENGTHEN PHYSICAL ACCESS CONTROLS TO THE SPF . . . . . . . . . . . . . 3\n\n        EVALUATE NEED FOR PROTECTION FROM POWER OUTAGES . . . . . . . . . . 6\n\n\nAPPENDIX 1 - OBJECTIVES, SCOPE, AND METHODOLOGY . . . . . . . . . . . . . . . A-1-1\n\nAPPENDIX 2 - RELEVANT POLICIES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-2-1\n\nAPPENDIX 3 - JSC RESPONSE, DATED JANUARY 15, 1998 . . . . . . . . . . . . . . . A-3-1\n\nAPPENDIX 4 - REPORT DISTRIBUTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-4-1\n\n\n\n\n                                                        i\n\x0c             DATA CENTER GENERAL CONTROLS\n\n\nBACKGROUND\n\n                 Johnson Space Center (JSC) has several large computer facilities\n                 supporting various mission operations. These facilities are:\n\n                 \xe2\x80\xa2       Software Production Facility (SPF)\n                 \xe2\x80\xa2       Shuttle Avionics and Integration Laboratory\n                 \xe2\x80\xa2       Shuttle Mission Training Facility\n                 \xe2\x80\xa2       Integrated Planning System\n                 \xe2\x80\xa2       Mission Control Center\n\n                 We limited our audit to the SPF data center. United Space Alliance\n                 (USA) operates and manages the facility under the Space Flight\n                 Operations Contract, NAS9-20000. USA is a joint venture of Boeing\n                 Aerospace and Lockheed Martin Corporation. We selected the\n                 facility because it plays a major role in the preparation of space flights\n                 for the Space Shuttle Program.\n\n                 The SPF assimilates the unique hardware and software configuration\n                 requirements for each Space Transportation System (STS) flight. The\n                 SPF staff develops and customizes orbiter flight software for each\n                 specific space shuttle mission. After exhaustive verification, SPF\n                 transmits this software to the Kennedy Space Center (KSC) for\n                 loading onboard the space shuttle. The facility also generates mission-\n                 specific products and reconfigures ground based software to support\n                 specific flight profiles and payloads. The entire National Aeronautics\n                 and Space Administration (NASA) STS program, as well as KSC,\n                 Marshall Space Flight Center (MSFC), Boeing Aerospace North\n                 America, and JSC, utilizes the SPF for data collection, review, and\n                 approval.\n\n                 The SPF facility consists of two Hosts, Automated Operations, Flight\n                 Equipment Interface Devices (FEIDS) and a Harris Night Hawk\n                 Firewall. The Hosts consist of two International Business Machines\n                 plug-compatible Amdahl Central Processing Units and associated\n                 standard peripheral devices. Custom built automation computer\n                 hardware operates the mainframes 7 days-a-week, 24 hours-a-day.\n                 The FEIDS, custom built computer hardware, check flight software\n\n\n                                    1\n\x0cfor proper execution. The firewall monitors and controls traffic\nbetween the network and the subnets. Interactive and/or batch file\ntransfer is authorized to and from any authorized SPF user on a\nconnected network. Authorized interactive SPF users are Boeing\nAerospace North America, Loral, JSC, KSC, MSFC, and USA.\n\n\n\n\n                 2\n\x0cOBSERVATIONS AND RECOMMENDATIONS\n\nOVERALL EVALUATION   SPF's physical and environmental protection and comprehensive\n                     operating procedures are adequate. USA has done a highly\n                     commendable job of operating the SPF facility. Dedicated data center\n                     personnel provide their users with baseline flight data, reconfiguration\n                     software tools, and a management control structure that should\n                     provide for a reliable computing environment. This report provides\n                     recommendations we believe will help improve SPF management\n                     controls. These recommendations address issues in the areas of\n                     security and environmental control. Our audit objectives, scope, and\n                     methodology are discussed in Appendix 1 of this report. Applicable\n                     criteria associated with our recommendations are identified in\n                     Appendix 2.\n\nSTRENGTHEN           JSC Security provides a comprehensive security program supporting\nPHYSICAL ACCESS      NASA and JSC resources and programs, including the protection of\nCONTROLS TO THE      personnel, information, equipment, operations and facilities. Their\n                     physical security program includes controlling site entry and access to\nSPF                  critical facilities and resources. Written procedures exist for\n                     contractors to notify JSC Security when employees are terminated or\n                     otherwise have their access revoked. Written procedures also exist to\n                     ensure that the physical access control system, known as the Central\n                     Security Control System, is updated in a timely manner. However,\n                     these procedures are not always being followed. As a result,\n                     individuals no longer needing SPF physical access may still have it.\n\n                     Physical access to the SPF is granted to those individuals who have a\n                     valid business need. In a list dated January 18, 1997, the Central\n                     Security Control System identified 777 individuals with SPF access.\n                     We sampled 57 individuals to validate their need for physical access.\n                     Our sample identified 25 individuals who did not need physical access\n                     but remained on the physical access list. Of the 25, 20 were not\n                     current employees. Five were current employees but no longer\n                     needed physical access.\n\n                     The procedures state NASA contractors should notify JSC Security\n                     in writing when individuals terminate or otherwise have their access\n                     revoked. According to a JSC Physical Security Specialist, the\n                     contractors are not always notifying JSC in a timely manner.\n\n                                        3\n\x0c                   However, in one instance noted in our testing, a contractor notified\n                   JSC Security of several individuals that no longer needed SPF physical\n                   access. These individuals remained on the physical access list. The\n                   JSC Physical Security Specialist could not determine why the\n                   individuals where not removed from the list.\n\n                   Without following the procedures in place, the SPF is susceptible to\n                   physical access by individuals who no longer require it to perform\n                   their jobs. This increases the possibility of losses from intentional or\n                   accidental damage, destruction, or theft of equipment and data.\n\nRECOMMENDATION 1   The Chief, Security Branch, Center Operations Directorate, should\n                   enforce existing operating procedures to ensure that contractors\n                   provide timely written information regarding terminations/revocations\n                   of employees with physical access to the SPF facility.\n\nManagement's       As stated in the report, procedures are in place to ensure that only\nResponse           individuals requiring access to the Software Production Facility (SPF)\n                   be allowed to enter. Contractors are obligated to notify JSC Security\n                   when an employee terminates. The access lists are reviewed\n                   periodically, and if a person has not used his or her card to gain access\n                   to a controlled area within the past six months, that person\xe2\x80\x99s access\n                   privileges are deleted. The Designated Approving Officials for each\n                   of the controlled areas also perform an annual review and\n                   recertification of all personnel with access privileges. This require-\n                   ment is found in the JSC Security Manual, Section 8.1.8 which states:\n                   ?\xe2\x80\xa6Contractor personnel having a local personnel or security office\n                   surrender their badge to the respective authorized company\n                   representative before termination. The badge is then returned to the\n                   Security Division with written notification of the individual\n                   employee\xe2\x80\x99s termination. All other persons possessing a badge return\n                   it to their JSC sponsor or directly to Security.\xe2\x80\x9d Paragraph 11.5.2\n                   states: ?\xe2\x80\xa6The badge office must be notified immediately when an\n                   employee with PCZ access terminates. When so notified, the\n                   individual\xe2\x80\x99s access to all PCZ will be deleted.\xe2\x80\x9d\n\n                   There is currently no requirement in the JSC Security Manual to\n                   require a contractor to notify JSC Security when a change in a work\n                   assignment results in the loss of the employee\xe2\x80\x99s need for access. We\n                   recognized the need for this, and the JSC Security Division has been\n                   working with JSC procurement officials to develop standard contract\n                   clauses requiring contractors to provide notification to JSC Security\n                   when an employee\xe2\x80\x99s need for access to controlled areas changes. A\n\n\n                                      4\n\x0c                   Data Requirements Description (DRD) titled, ?Security Reporting\n                   Requirements,\xe2\x80\x9d was drafted by the JSC Industrial Security Specialist\n                   and submitted to procurement in July 1997.\n\n                   The DRD requires, among other things: ?Provide the following\n                   information...d. - Change in a cleared employee\xe2\x80\x99s status and/or an\n                   employee participating in special access programs such as the Mission\n                   Critical Space Systems Personnel Reliability Program (PRP), NASA\n                   Resource Protection (NRP) Program, and Information Technology\n                   (IT/AIS) Security Program (i.e., name, marital status, citizenship,\n                   death, termination of employment or clearance, different position or\n                   work assignment/relocation, employee becomes a representative of a\n                   foreign interest, etc.)\xe2\x80\x9d\n\n                   This clause was added to Lockheed Martin Contract NAS9-19100 on\n                   August 1, 1997, as modification #69. The clause is now undergoing\n                   legal and procurement review and approval to become a standard\n                   clause in all JSC contracts.\n\n                   All Security personnel will be reminded to adhere to the procedures.\n                   With procedures in place and actions underway to strengthen those\n                   procedures, and your acceptance of those actions, we will consider\n                   this recommendation closed on issuance of the final report.\n\nEvaluation of      We have reviewed the information related to recommendation 1 and\nManagement's       management's response to the recommendation.              We feel\nResponse           management's actions are responsive to our concern. As a result, we\n                   consider this recommendation closed.\n\nRECOMMENDATION 2   The Chief, Security Branch, Center Operations Directorate, should\n                   enforce existing operating procedures to ensure all\n                   terminations/revocations are immediately entered into the Central\n                   Security Control System.\n\nManagement's       All Security Division personnel will be reminded to adhere to the\nResponse           existing procedures. The JSC Security Manual states in Chapter\n                   11.5.2 Terminations: ?When an individual terminates Government or\n                   contractor employment, he/she is responsible for turning in his/her\n                   PCZ card. NASA employees will not be allowed to clear the site until\n                   their PCZ cards have been returned to the Security Division. For\n                   contractor or other Government agency employees, a corporate\n                   security officer or responsible agency official will retrieve the PCZ\n\n\n\n                                     5\n\x0c                    card at the same time the JSC badge is retrieved. \xe2\x80\xa6The badge office\n                    must be notified immediately when an employee with PCZ access\n                    terminates. When so notified, the individual\xe2\x80\x99s access to all PCZ\xe2\x80\x99s will\n                    be deleted. If the employee has been terminated for cause, he/she\n                    must be denied PCZ access at the same time he/she is notified of\n                    termination. This will be done by notifying the Security Division of\n                    the termination before notifying the employee. The building 1 security\n                    receptionist will furnish the building 30 badge office a monthly list of\n                    expired visit requests, which will be checked against the PCZ master\n                    access list. Any person whose clearance expired will no longer be\n                    allowed PCZ access.\xe2\x80\x9d\n\n                    Detailed procedures on how to complete terminations in the Central\n                    Security Control System (CSCS) are found in the Mission Control\n                    Center Procedures and Training Manual, section 12, which is located\n                    in the Building 30 Badge Office, room 1100. All Security personnel\n                    will be reminded to immediately enter data into the Central Security\n                    Control System.\n\n                    With these procedures in place and reminders to employees to follow\n                    them, we will consider this recommendation closed on issuance of the\n                    final report.\n\nEvaluation of       We have reviewed the information related to recommendation 2 and\nManagement's        management's response to the recommendation.            We feel\nResponse            management's action is responsive to our concern. As a result, we\n                    consider this recommendation closed.\n\nEVALUATE NEED FOR   An Uninterruptable Power Source (UPS) forms a defense strategy\nPROTECTION FROM     against power problems. A UPS is a power conditioning and supply\nPOWER OUTAGES       system. It provides protection against short-term power outages until\n                    the user can start a backup generator or shut down the computer and\n                    network systems safely. It also provides for cleaner power which may\n                    help reduce computer maintenance needs. The SPF is not protected\n                    with a UPS. USA does not believe a UPS is required or cost-\n                    justified. However, a feasibility study or a cost/benefit analysis has\n                    not been conducted. Without a UPS, the SPF is vulnerable to data\n                    loss during a commercial power outage. USA believes the current\n                    commercial power source, Houston Lighting and Power, is reliable\n                    because the SPF has never been down for long periods due to a power\n                    outage. In our opinion, a UPS is a generally accepted protection\n                    system. A UPS prevents information loss, reduces interruption, and\n                    provides reasonable continuity of computer services should adverse\n\n\n                                       6\n\x0c                   events occur that would prevent normal operations. We believe a\n                   UPS feasibility study and cost/benefit analysis should be conducted.\n\nRECOMMENDATION 3   The Space Shuttle Program Office should conduct a feasibility study\n                   and a cost/benefit analysis for a UPS.\n\n\nManagement's       The Software Production Facility is a vital Shuttle resource and we\nResponse           agree with the finding and intent of the recommendation. The USA\n                   will perform a feasibility study and cost/benefit analysis to include a\n                   summary of any power related SPF changes through the report date.\n                   This will be completed by March 30, 1998.\n\nEvaluation of      The action to be taken by USA is responsive to our concern. We will\nManagement's       review the contractor's feasibility study and cost/benefit analysis and,\nResponse           therefore, request to be included in the concurrence cycle for closure\n                   of the recommendation.\n\n\n\n\n                                      7\n\x0c                                                                               APPENDIX 1\n\n\nOBJECTIVES, SCOPE, AND METHODOLOGY\n\nOBJECTIVES         The objective of the audit is to determine whether an adequate internal\n                   control structure has been established to provide for a reliable Software\n                   Production Facility (SPF) computing environment, including:\n\n                   C      physical and environmental protection, and\n                   C      comprehensive operating procedures.\n\nSCOPE AND          We interviewed Johnson Space Center (JSC) civil service and United\nMETHODOLOGY        Space Alliance (USA) contractor personnel to understand the general\n                   SPF controls and procedures. We reviewed JSC and USA SPF\n                   standards, policies and procedures. We toured the SPF facility and\n                   reviewed records to evaluate physical security and environmental\n                   conditions. We sampled physical access and authorized computer users\n                   lists to evaluate security controls.\n\nMANAGEMENT         We reviewed general operating policies, procedures, and standards for\nCONROLS            the following data center areas:\nREVIEWED\n                   \xe2\x80\xa2      agency review and monitoring,\n                   \xe2\x80\xa2      physical security,\n                   \xe2\x80\xa2      environmental protection,\n                   \xe2\x80\xa2      general computer operations activities,\n                   \xe2\x80\xa2      library functions,\n                   \xe2\x80\xa2      job scheduling,\n                   \xe2\x80\xa2      data communications networks,\n                   \xe2\x80\xa2      storage management,\n                   \xe2\x80\xa2      file retention and backup/recovery procedures,\n                   \xe2\x80\xa2      software change management, and\n                   \xe2\x80\xa2      lights-out operations.\n\nAUDIT FIELD WORK   We performed field work at JSC from November 1996 to July 1997.\n                   We conducted the audit in accordance with generally accepted\n                   government auditing standards.\n\n\n\n\n                                     A-1-1\n\x0c                                                                                APPENDIX 2\n\n\nRELEVANT POLICIES\n\nSECTION 4.17.3 OF   states when the Building 30 Security Badging Office is informed that\nJSC CENTRAL         an individual no longer has authorized Physical Control Zone (PCZ)\nSECURITY CONTROL    access, the receptionist will immediately delete all access from the\n                    system and retrieve, if possible, the PCZ badge. This operating policy\nSYSTEM OPERATING    applies to Recommendations 1 and 2.\nPROCEDURES,\nREVISION B\n                    states the NASA or JSC badge is returned to the Security Division\nSECTION 8.1.8 OF    when it is no longer needed... Contractor personnel having a local\nJSCM 1600D, JSC     personnel or security office surrender their badge to the respective\nSECURITY MANUAL     authorized company representative before termination. The badge is\n                    then returned to the Security Division with written notification of the\n                    individual employee's termination. This operating policy applies to\n                    Recommendations 1 and 2.\n\nSECTION 11.5.2 OF   states when an individual terminates Government or contractor\nJSCM 1600D, JSC     employment, he/she is responsible for turning in his/her PCZ card...\nSECURITY MANUAL     For contractor or other Government agency employees, a corporate\n                    security officer or responsible agency official will retrieve the PCZ\n                    card at the same time the JSC badge is retrieved. The PCZ card will\n                    be protected and either delivered to the Building 30 Security Badging\n                    Office or mailed to the Security Division as soon as possible. The\n                    badge office must be notified immediately when an employee with\n                    PCZ access terminates. When so notified, the individual's access to\n                    all PCZ's will be deleted. This operating policy applies to\n                    Recommendations 1 and 2.\n\nAPPENDIX III,       states agencies shall implement and maintain a program to assure\nSECTION A.3 OF      adequate security is provided for all agency information collected,\nOFFICE OF           processed, transmitted, stored or disseminated in general support\n                    systems and major applications. Among other things, application\nMANAGEMENT AND      security plans shall provide for establishing and periodically testing the\nBUDGET (OMB)        capability to perform the agency function supported by the application\nCIRCULAR A-130      in the event of failure of its automated support. This operation policy\n                    applies to Recommendation 3.\n\n\n\n\n                                     A-2-1\n\x0cSection 302(f) of   states appropriate disaster recovery plans and contingency plans must\nNASA Handbook       be established and maintained to prevent loss of information, minimize\n2410.9A             interruption, and provide reasonable continuity of computer and\n                    network services should adverse events occur that would prevent\n                    normal operations. This operations policy applies to Recommendation\n                    3.\n\nGOOD BUSINESS       The OMB and NASA Handbook criteria do not specifically address\nPRACTICES           an Uninterruptable Power Source (UPS) as part of adequate\n                    contingency planning. However, good business practices would\n                    dictate an undesirable condition exists when a UPS does not protect\n                    a critical system, such as the SPF. This practice applies to\n                    Recommendation 3.\n\n\n\n\n                                    A-2-2\n\x0c                                                                           APPENDIX 4\n\n\nREPORT DISTRIBUTION LIST\n\nNational Aeronautics and Space Administration (NASA) Officials-In-Charge\n\nCode A/Office of the Administrator\nCode AD/Deputy Administrator\nCode AO/Chief Information Officer\nCode B/Chief Financial Officer\nCode B/Comptroller\nCode G/General Counsel\nCode J/Associate Administrator for Management Systems and Facilities\nCode JM/Management Assessment Division (10 copies)\nCode L/Associate Administrator for Legislative Affairs\nCode M/Associate Administrator for Space Flight\nCode MC/CIO Representative\nCode MX/Audit Liaison\n\nNASA Director, Field Installations\n\nAmes Research Center\nDryden Flight Research Center\nGoddard Space Flight Center\nJet Propulsion Laboratory\nJohn F. Kennedy Space Center\nLangley Research Center\nLewis Research Center\nGeorge C. Marshall Space Flight Center\nJohn C. Stennis Space Center\nHead, Goddard Institute for Space Studies\nManager, KSC VLS Resident Office (Vandenberg AFB)\nManager, Michoud Assembly Facility\nManager, NASA Management Office-JPL\nManager, JSC White Sands Test Facility\n\nNASA Offices of Inspector General\n\nAmes Research Center\nGoddard Space Flight Center\nJet Propulsion Laboratory\nJohn F. Kennedy Space Center\nLangley Research Center\nLewis Research Center\nGeorge C. Marshall Space Flight Center\nJohn C. Stennis Space Center\n\n                                           A-4-1\n\x0cJohnson Space Center Officials\n\nCode AI/Chief Information Officer\nCode AI/JSC Computer Security Official\nCode BD/Audit Liaison Representative\nCode DA/Director, Mission Operations Directorate\nCode DB/Chief, Systems Development and Operations Division\nCode DB/ SPF Resident Office Manager\nCode JA/Director, Center Operations Directorate\nCode MA/Manager, Space Shuttle Program\n\nChairman and ranking minority member of each of the following congressional\ncommittees and subcommittees\n\nSenate Committee on Appropriations\nSenate Subcommittee on VA-HUD-Independent Agencies\nSenate Committee on Commerce, Science and Transportation\nSenate Subcommittee on Science, Technology and Space\nSenate Committee on Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on VA-HUD-Independent Agencies\nHouse Committee on Government Reform and Oversight\nHouse Committee on Science\nHouse Subcommittee on Space and Aeronautics\n\nNon-NASA Federal Organizations and Individuals:\n\nAssistant to the President for Science and Technology Policy\nDeputy Associate Director, Energy and Science Division, Office of Management and Budget\nBudget Examiner, Energy Science Division, Office of Management and Budget\nAssociate Director, National Security and International Affairs Division, General Accounting\nOffice\nSpecial Counsel, Subcommittee on National Security, International Affairs and Criminal Justice\nProfessional Assistant, Senate Subcommittee on Science, Technology, and Space\nProfessional Assistant, Subcommittee on Science, Technology, and Space c/o Tom Cooley\n\nCongressional Members:\n\nHonorable Pete Sessions, U.S. House of Representatives\n\n\n\n\n                                             A-4-2\n\x0cMAJOR CONTRIBUTORS TO THE REPORT\n\n\nJOHNSON SPACE      Brenda K. Conley, Auditor-in-Charge\nCENTER\n\nNASA               Gregory B. Melson, Program Director - Information Technology\nHEADQUARTERS       Audits\n\x0c"